
ntfs.sys - infected by Virus.Win32.Protector.c and braviax [Solved]


  • This topic is locked This topic is locked

#1 rlew
First of all, my apologies for going against the rules of this Forum and opening a second topic, but

1) I have uncovered a new important fact that changes the nature of the infection
2) In my first post ( http://www.geekstogo...ml#topicoptions ) I have overzealously replied to my post five times with log files as requested in a related topic by another user and only then have I noticed that this should not be done because only unreplied topics are being handled.
I apologize - but this is following two sleepless nights struggling with the infections.

To get to the point, the infected computer runs Win XP Home SP3. Looking at the files I have become suspicious of the Windows\system32\drivers\ntfs.sys file because it is dated 21/08/2009 and 630kB rather than 574kB as on my other system and Windows XP CD. My suspicions grew as I discovered that this file is locked for opening (even in Safe mode) and won't allow copying.

What I did was boot the suspect computer into Linux Knoppix; I was able to go online and submit the suspect file to the Kaspersky file scan (www.kaspersky.com/scanforvirus). Sure enough, the report says:

ntfs.sys - infected by Virus.Win32.Protector.c

Previously I had believed it was only the braviax.exe file - the other details with the requisite logs are available in my other topic:
http://www.geekstogo...ml#topicoptions

Of course, I will happily repost the logs here, if requested.

I am waiting (and begging) for help.

--
Robert

Edited by rlew, 25 August 2009 - 01:37 AM.

#2 rlew
OK, three days have passed and I really needed to get the computer up and running, so I've had to take action myself and want to report on this here.

I downloaded an ISO image for a Dr. Web Linux distribution with an AV scanner and booted off this image. Here are the infections it reported, in a nutshell:

Temp Internet Files/...Install[1].exe - 2 counts
C:\Windows\pss\ikowin32.exe Startup
C:\Windows\system32\drivers\ntfs.sys
C:\Windows\system32\dllcache\ntfs.sys
Two false positives

It offered to repair (!) the ntfs.sys file, and to my surprise it did (I don't know if it had one in store somehow, found a clean copy in the /i386 directory, or was able to remove the virus code from the binary file). Whichever it was, I was impressed. Of course, at this point it was possible to replace the ntfs.sys file under Linux with NTFS support.

So that went very well. The scanner wasn't as successful with rogue registry entries, and these I just cleaned by hand having booted into Safe mode, and again into the default user (though this time traces were only found in the MUIcache section, probably perfectly harmless).

After this, all scans have come out clean and the computer has behaved well.

Thank you.
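The check that exposed the infection in post #1 (a driver whose size differs from the copy on another machine and on the install CD) and the finding in post #2 (the dllcache copy was infected too, so it could not serve as a clean backup) can be turned into a small integrity comparison. The following script is an added example, not code from the thread or from any of the tools named in it: it fingerprints every copy of a file by size and SHA-256, compares each against a reference copy you trust, and reports copies that cannot be read at all, since the poster found the suspect ntfs.sys locked even in Safe Mode. The paths and file contents are constructed stand-ins, not real driver images; the tampered-but-same-size case goes beyond the thread to show why size alone is not enough.

```python
"""Compare copies of a system file (e.g. ntfs.sys) against a known-good reference.

Added example; the directory layout and byte contents below are constructed
stand-ins, not real Windows files.
"""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size, sha256-hex) for a file, or None if it cannot be read.

    An unreadable copy is itself a signal worth recording: the original poster
    found the suspect driver locked for reading even in Safe Mode.
    """
    try:
        digest = hashlib.sha256()
        size = 0
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
                size += len(chunk)
        return size, digest.hexdigest()
    except OSError:
        return None


def compare_copies(reference, candidates):
    """Map each candidate path to one of:
    'match', 'size-mismatch', 'content-mismatch' (same size, different bytes),
    or 'unreadable'. The reference itself must be readable."""
    ref = fingerprint(reference)
    if ref is None:
        raise FileNotFoundError(f"reference copy not readable: {reference}")
    verdicts = {}
    for path in candidates:
        fp = fingerprint(path)
        if fp is None:
            verdicts[path] = "unreadable"
        elif fp == ref:
            verdicts[path] = "match"
        elif fp[0] != ref[0]:
            verdicts[path] = "size-mismatch"
        else:
            verdicts[path] = "content-mismatch"
    return verdicts


def demo():
    """Constructed scenario mirroring the thread: a clean i386 copy, infected
    drivers and dllcache copies that are larger, a same-size tampered copy,
    and a path that does not exist. Returns verdicts keyed by relative path."""
    clean = b"MZ" + b"\x00" * 1000          # stand-in for a clean driver image
    infected = clean + b"X" * 56            # stand-in: appended code grows the file
    tampered = clean[:-1] + b"\x01"         # stand-in: same size, one byte changed
    root = tempfile.mkdtemp()
    layout = {
        "i386/ntfs.sys": clean,
        "drivers/ntfs.sys": infected,
        "dllcache/ntfs.sys": infected,
        "backup/ntfs.sys": tampered,
    }
    paths = {}
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        paths[rel] = full
    candidates = [paths[k] for k in ("drivers/ntfs.sys", "dllcache/ntfs.sys", "backup/ntfs.sys")]
    candidates.append(os.path.join(root, "missing", "ntfs.sys"))  # constructed: absent file
    result = compare_copies(paths["i386/ntfs.sys"], candidates)
    return {os.path.relpath(p, root).replace(os.sep, "/"): v for p, v in result.items()}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:17} {path}")
```

A mismatch against a CD or another machine's copy is a reason to investigate, not proof of infection on its own: a hotfix or service pack also changes the file, which is why the thread compares against a same-service-pack system. Matching a copy whose vendor signature verifies, or whose hash is known from the vendor, is the stronger check.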
#3 Transience
Glad to hear you've figured this out. I'll close it up; shoot me a PM if you have another problem and need this reopened, or just start a new topic :).

#4 Transience
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.